France's regulatory body dealing with data privacy has fined Google €50 million regarding advertisers’ access to users' personal data, it announced on Monday.
ADVERTISEMENTFrance's regulatory body dealing with data privacy has fined Google €50 million regarding advertisers’ access to users' personal data, it announced on Monday.
The National Commission on Informatics and Liberty (CNIL) said Google LLC received the financial penalty for a "lack of transparency, inadequate information and lack of valid consent regarding advert personalization."
It marks the first time the CNIL has used the EU's strict General Data Protection Regulation (GDPR).
READ MORE: GDPR explained: what the EU’s major new data protection rules mean for you
The authority said Google did not take appropriate measures when asking users for their data.
"The restricted committee observes that the users’ consent is not sufficiently informed," the CNIL wrote in a statement.
It added that "the collected consent is neither 'specific' nor 'unambiguous',” because it was difficult for users to modify preferences on where their data was used, particularly concerning targeted ads.
"The user not only has to click on the button 'More options' to access the configuration, but the display of the ads personalization is moreover pre-ticked," the body wrote.
Two advocacy groups, None Of Your Business (NOYB) and La Quadrature du Net (LQDN), filed group complaints with the CNIL in May 2018. LQDN filed on behalf of 10,000 individuals.
The organisations "reproach GOOGLE for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes."
The CNIL launched an investigation "immediately" after these complaints were submitted.
"The amount decided and the publicity of the fine are justified by the severity of the infringements observed regarding the essential principles of the General Data Protection Regulation (GDPR): transparency, information and consent," the regulatory organisation said.
"Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement."
Google said in a statement: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR.
"We're studying the decision to determine our next steps."